Skip to content

Commit

Permalink
Update bytecode api functionality levels and add news from recent pat…
Browse files Browse the repository at this point in the history
…ch versions
  • Loading branch information
micahsnyder committed Feb 5, 2024
1 parent 12fb698 commit 5f934c1
Show file tree
Hide file tree
Showing 2 changed files with 77 additions and 0 deletions.
68 changes: 68 additions & 0 deletions NEWS.md
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,40 @@ Special thanks to the following people for code contributions and bug reports:
- RainRat
- teoberi

## 1.2.2

ClamAV 1.2.2 is a critical patch release with the following fix:

- [CVE-2024-20290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20290):
Fixed a possible heap overflow read bug in the OLE2 file parser that could
cause a denial-of-service (DoS) condition.

Affected versions:
- 1.0.0 through 1.0.4 (LTS)
- 1.1 (all patch versions)
- 1.2.0 and 1.2.1

Thank you to OSS-Fuzz for identifying this issue.

- [CVE-2024-20328](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20328):
Fixed a possible command injection vulnerability in the `VirusEvent` feature
of ClamAV's ClamD service.

To fix this issue, we disabled the '%f' format string parameter.
ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME`
environment variable, instead of '%f'. But you should do so only from within
an executable, such as a Python script, and not directly in the `clamd.conf`
`VirusEvent` command.

Affected versions:
- 0.104 (all patch versions)
- 0.105 (all patch versions)
- 1.0.0 through 1.0.4 (LTS)
- 1.1 (all patch versions)
- 1.2.0 and 1.2.1

Thank you to Amit Schendel for identifying this issue.

## 1.2.1

ClamAV 1.2.1 is a patch release with the following fixes:
Expand Down Expand Up @@ -501,6 +535,40 @@ Special thanks to the following people for code contributions and bug reports:
- Sebastian Andrzej Siewior
- The OSS-Fuzz project

## 1.0.5

ClamAV 1.0.5 is a critical patch release with the following fixes:

- [CVE-2024-20290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20290):
Fixed a possible heap overflow read bug in the OLE2 file parser that could
cause a denial-of-service (DoS) condition.

Affected versions:
- 1.0.0 through 1.0.4 (LTS)
- 1.1 (all patch versions)
- 1.2.0 and 1.2.1

Thank you to OSS-Fuzz for identifying this issue.

- [CVE-2024-20328](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20328):
Fixed a possible command injection vulnerability in the `VirusEvent` feature
of ClamAV's ClamD service.
To fix this issue, we disabled the '%f' format string parameter.
ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME`
environment variable, instead of '%f'. But you should do so only from within
an executable, such as a Python script, and not directly in the `clamd.conf`
`VirusEvent` command.
Affected versions:
- 0.104 (all patch versions)
- 0.105 (all patch versions)
- 1.0.0 through 1.0.4 (LTS)
- 1.1 (all patch versions)
- 1.2.0 and 1.2.1
Thank you to Amit Schendel for identifying this issue.
## 1.0.4
ClamAV 1.0.4 is a patch release with the following fixes:
Expand Down
9 changes: 9 additions & 0 deletions libclamav/bytecode_api.h
Original file line number Diff line number Diff line change
Expand Up @@ -167,10 +167,19 @@ enum FunctionalityLevels {

FUNC_LEVEL_1_0 = 160, /**< LibClamAV release 1.0.0 */
FUNC_LEVEL_1_0_1 = 161, /**< LibClamAV release 1.0.1 */
FUNC_LEVEL_1_0_2 = 162, /**< LibClamAV release 1.0.2 */
FUNC_LEVEL_1_0_3 = 163, /**< LibClamAV release 1.0.3 */
FUNC_LEVEL_1_0_4 = 164, /**< LibClamAV release 1.0.4 */
FUNC_LEVEL_1_0_5 = 165, /**< LibClamAV release 1.0.5 */

FUNC_LEVEL_1_1 = 180, /**< LibClamAV release 1.1.0 */
FUNC_LEVEL_1_1_1 = 181, /**< LibClamAV release 1.1.1 */
FUNC_LEVEL_1_1_2 = 182, /**< LibClamAV release 1.1.2 */
FUNC_LEVEL_1_1_3 = 183, /**< LibClamAV release 1.1.3 */

FUNC_LEVEL_1_2 = 190, /**< LibClamAV release 1.2.0 */
FUNC_LEVEL_1_2_1 = 191, /**< LibClamAV release 1.2.1 */
FUNC_LEVEL_1_2_2 = 192, /**< LibClamAV release 1.2.2 */

FUNC_LEVEL_1_3 = 200, /**< LibClamAV release 1.3.0 */
};
Expand Down

0 comments on commit 5f934c1

Please sign in to comment.